mihari 5.2.1 → 5.2.3

data/lib/mihari/commands/rule.rb

@@ -5,60 +5,62 @@ require "pathname"
 module Mihari
   module Commands
     module Rule
-      def self.included(thor)
-        thor.class_eval do
-          desc "validate [PATH]", "Validate a rule file"
-          #
-          # Validate format of a rule
-          #
-          # @param [String] path
-          #
-          def validate(path)
-            rule = Structs::Rule.from_path_or_id(path)
-
-            begin
-              rule.validate!
-              Mihari.logger.info "Valid format. The input is parsed as the following:"
-              Mihari.logger.info rule.data.to_yaml
-            rescue RuleValidationError
-              nil
-            end
-          end
-
-          desc "init [PATH]", "Initialize a new rule file"
-          #
-          # Initialize a new rule file
-          #
-          # @param [String] path
-          #
-          #
-          def init(path = "./rule.yml")
-            warning = "#{path} exists. Do you want to overwrite it? (y/n)"
-            return if Pathname(path).exist? && !(yes? warning)
-
-            initialize_rule path
-
-            Mihari.logger.info "A new rule is initialized: #{path}."
-          end
-
-          no_commands do
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "validate [PATH]", "Validate a rule file"
             #
-            # @return [Mihari::Structs::Rule]
+            # Validate format of a rule
             #
-            def rule_template
-              Structs::Rule.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
+            # @param [String] path
+            #
+            def validate(path)
+              rule = Structs::Rule.from_path_or_id(path)
+
+              begin
+                rule.validate!
+                Mihari.logger.info "Valid format. The input is parsed as the following:"
+                Mihari.logger.info rule.data.to_yaml
+              rescue RuleValidationError
+                nil
+              end
             end
 
+            desc "init [PATH]", "Initialize a new rule file"
             #
-            # Create a new rule
+            # Initialize a new rule file
             #
             # @param [String] path
-            # @param [Dry::Files] files
             #
-            # @return [nil]
             #
-            def initialize_rule(path, files = Dry::Files.new)
-              files.write(path, rule_template.yaml)
+            def init(path = "./rule.yml")
+              warning = "#{path} exists. Do you want to overwrite it? (y/n)"
+              return if Pathname(path).exist? && !(yes? warning)
+
+              initialize_rule path
+
+              Mihari.logger.info "A new rule file has been initialized: #{path}."
+            end
+
+            no_commands do
+              #
+              # @return [Mihari::Structs::Rule]
+              #
+              def rule_template
+                Structs::Rule.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
+              end
+
+              #
+              # Create a new rule
+              #
+              # @param [String] path
+              # @param [Dry::Files] files
+              #
+              # @return [nil]
+              #
+              def initialize_rule(path, files = Dry::Files.new)
+                files.write(path, rule_template.yaml)
+              end
             end
           end
         end

data/lib/mihari/commands/search.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Search
+      class << self
+        class RuleWrapper
+          include Mixins::ErrorNotification
+
+          # @return [Nihari::Structs::Rule]
+          attr_reader :rule
+
+          # @return [Boolean]
+          attr_reader :force_overwrite
+
+          def initialize(rule:, force_overwrite:)
+            @rule = rule
+            @force_overwrite = force_overwrite
+          end
+
+          def force_overwrite?
+            force_overwrite
+          end
+
+          #
+          # @return [Boolean]
+          #
+          def diff?
+            model = Mihari::Rule.find(rule.id)
+            model.data != rule.data.deep_stringify_keys
+          rescue ActiveRecord::RecordNotFound
+            false
+          end
+
+          def update_or_create
+            rule.model.save
+          end
+
+          def run
+            with_error_notification do
+              alert = rule.analyzer.run
+              if alert
+                data = Mihari::Entities::Alert.represent(alert)
+                puts JSON.pretty_generate(data.as_json)
+              else
+                Mihari.logger.info "There is no new artifact found"
+              end
+            end
+          end
+        end
+
+        def included(thor)
+          thor.class_eval do
+            desc "search [PATH]", "Search by a rule"
+            method_option :force_overwrite, type: :boolean, aliases: "-f", desc: "Force an overwrite the rule"
+            #
+            # Search by a rule
+            #
+            # @param [String] path_or_id
+            #
+            def search(path_or_id)
+              Mihari::Database.with_db_connection do
+                rule = Structs::Rule.from_path_or_id path_or_id
+
+                begin
+                  rule.validate!
+                rescue RuleValidationError
+                  return
+                end
+
+                force_overwrite = options["force_overwrite"] || false
+                wrapper = RuleWrapper.new(rule: rule, force_overwrite: force_overwrite)
+
+                if wrapper.diff? && !force_overwrite
+                  message = "There is diff in the rule (#{rule.id}). Are you sure you want to overwrite the rule? (y/n)"
+                  return unless yes?(message)
+                end
+
+                wrapper.update_or_create
+                wrapper.run
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/version.rb

@@ -3,13 +3,15 @@
 module Mihari
   module Commands
     module Version
-      def self.included(thor)
-        thor.class_eval do
-          map %w[--version -v] => :__print_version
+      class << self
+        def included(thor)
+          thor.class_eval do
+            map %w[--version -v] => :__print_version
 
-          desc "--version, -v", "Print the version"
-          def __print_version
-            puts Mihari::VERSION
+            desc "--version, -v", "Print the version"
+            def __print_version
+              puts Mihari::VERSION
+            end
           end
         end
       end

data/lib/mihari/commands/web.rb

@@ -3,29 +3,32 @@
 module Mihari
   module Commands
     module Web
-      def self.included(thor)
-        thor.class_eval do
-          desc "web", "Launch the web app"
-          method_option :port, type: :numeric, default: 9292, desc: "Hostname to listen on"
-          method_option :host, type: :string, default: "localhost", desc: "Port to listen on"
-          method_option :threads, type: :string, default: "0:5", desc: "min:max threads to use"
-          method_option :verbose, type: :boolean, default: true, desc: "Report each request"
-          method_option :worker_timeout, type: :numeric, default: 60, desc: "Worker timeout value (in seconds)"
-          method_option :hide_config_values, type: :boolean, default: false,
-            desc: "Whether to hide config values or not"
-          method_option :open, type: :boolean, default: true, desc: "Whether to open the app in browser or not"
-          def web
-            Mihari.config.hide_config_values = options["hide_config_values"]
-            # set rack env as production
-            ENV["RACK_ENV"] ||= "production"
-            Mihari::App.run!(
-              port: options["port"],
-              host: options["host"],
-              threads: options["threads"],
-              verbose: options["verbose"],
-              worker_timeout: options["worker_timeout"],
-              open: options["open"]
-            )
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "web", "Launch the web app"
+            method_option :port, type: :numeric, default: 9292, desc: "Hostname to listen on"
+            method_option :host, type: :string, default: "localhost", desc: "Port to listen on"
+            method_option :threads, type: :string, default: "0:5", desc: "min:max threads to use"
+            method_option :verbose, type: :boolean, default: true, desc: "Report each request"
+            method_option :worker_timeout, type: :numeric, default: 60, desc: "Worker timeout value (in seconds)"
+            method_option :hide_config_values, type: :boolean, default: false,
+              desc: "Whether to hide config values or not"
+            method_option :open, type: :boolean, default: true, desc: "Whether to open the app in browser or not"
+            method_option :rack_env, type: :string, default: "production", desc: "Rack environment"
+            def web
+              Mihari.config.hide_config_values = options["hide_config_values"]
+              # set rack env as production
+              ENV["RACK_ENV"] ||= options["rack_env"]
+              Mihari::App.run!(
+                port: options["port"],
+                host: options["host"],
+                threads: options["threads"],
+                verbose: options["verbose"],
+                worker_timeout: options["worker_timeout"],
+                open: options["open"]
+              )
+            end
           end
         end
       end

data/lib/mihari/emitters/base.rb

@@ -6,7 +6,20 @@ module Mihari
       include Mixins::Configurable
       include Mixins::Retriable
 
-      def initialize(*)
+      # @return [Array<Mihari::Artifact>]
+      attr_reader :artifacts
+
+      # @return [Mihari::Structs::Rule]
+      attr_reader :rule
+
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **_options
+      #
+      def initialize(artifacts:, rule:, **_options)
+        @artifacts = artifacts
+        @rule = rule
       end
 
       class << self

data/lib/mihari/emitters/database.rb

@@ -4,28 +4,21 @@ module Mihari
   module Emitters
     class Database < Base
       def valid?
-        true
+        configured?
       end
 
       #
       # Create an alert
       #
-      # @param [Arra<Mihari::Artifact>] artifacts
-      # @param [Mihari::Structs::Rule] rule
-      #
       # @return [Mihari::Alert]
       #
-      def emit(artifacts:, rule:)
+      def emit
         return if artifacts.empty?
 
         tags = rule.tags.filter_map { |name| Tag.find_or_create_by(name: name) }.uniq
         taggings = tags.map { |tag| Tagging.new(tag_id: tag.id) }
 
-        alert = Alert.new(
-          artifacts: artifacts,
-          taggings: taggings,
-          rule_id: rule.id
-        )
+        alert = Alert.new(artifacts: artifacts, taggings: taggings, rule_id: rule.id)
         alert.save
         alert
       end

data/lib/mihari/emitters/misp.rb

@@ -9,11 +9,22 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
 
-      def initialize(*args, **kwargs)
-        super(*args, **kwargs)
+      # @return [Array<Mihari::Artifact>]
+      attr_reader :artifacts
 
-        @url = kwargs[:url] || Mihari.config.misp_url
-        @api_key = kwargs[:api_key] || Mihari.config.misp_api_key
+      # @return [Mihari::Structs::Rule]
+      attr_reader :rule
+
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **options
+      #
+      def initialize(artifacts:, rule:, **options)
+        super(artifacts: artifacts, rule: rule, **options)
+
+        @url = options[:url] || Mihari.config.misp_url
+        @api_key = options[:api_key] || Mihari.config.misp_api_key
       end
 
       # @return [Boolean]
@@ -40,7 +51,7 @@ module Mihari
       #
       # @return [::MISP::Event]
       #
-      def emit(rule:, artifacts:, **_options)
+      def emit
         return if artifacts.empty?
 
         client.create_event({

data/lib/mihari/emitters/slack.rb

@@ -121,11 +121,16 @@ module Mihari
       # @return [String]
       attr_reader :username
 
-      def initialize(*args, **kwargs)
-        super(*args, **kwargs)
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **_options
+      #
+      def initialize(artifacts:, rule:, **options)
+        super(artifacts: artifacts, rule: rule, **options)
 
-        @webhook_url = kwargs[:webhook_url] || Mihari.config.slack_webhook_url
-        @channel = kwargs[:channel] || Mihari.config.slack_channel || DEFAULT_CHANNEL
+        @webhook_url = options[:webhook_url] || Mihari.config.slack_webhook_url
+        @channel = options[:channel] || Mihari.config.slack_channel || DEFAULT_CHANNEL
         @username = DEFAULT_USERNAME
       end
 
@@ -152,13 +157,11 @@ module Mihari
       end
 
       #
-      # Build attachements
-      #
-      # @param [Array<Mihari::Artifact>] artifacts
+      # Build attachments
       #
       # @return [Array<Mihari::Emitters::Attachment>]
       #
-      def to_attachments(artifacts)
+      def attachments
         artifacts.map do |artifact|
           Attachment.new(data: artifact.data, data_type: artifact.data_type).to_a
         end.flatten
@@ -167,11 +170,9 @@ module Mihari
       #
       # Build a text
       #
-      # @param [Mihari::Structs::Rule] rule
-      #
       # @return [String]
       #
-      def to_text(rule)
+      def text
         tags = rule.tags
         tags = ["N/A"] if tags.empty?
 
@@ -182,12 +183,9 @@ module Mihari
         ].join("\n")
       end
 
-      def emit(rule:, artifacts:, **_options)
+      def emit
         return if artifacts.empty?
 
-        attachments = to_attachments(artifacts)
-        text = to_text(rule)
-
         notifier.post(text: text, attachments: attachments, mrkdwn: true)
       end
 

data/lib/mihari/emitters/the_hive.rb

@@ -12,12 +12,17 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_version
 
-      def initialize(*args, **kwargs)
-        super(*args, **kwargs)
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **options
+      #
+      def initialize(artifacts:, rule:, **options)
+        super(artifacts: artifacts, rule: rule, **options)
 
-        @url = kwargs[:url] || Mihari.config.thehive_url
-        @api_key = kwargs[:api_key] || Mihari.config.thehive_api_key
-        @api_version = kwargs[:api_version] || Mihari.config.thehive_api_version
+        @url = options[:url] || Mihari.config.thehive_url
+        @api_key = options[:api_key] || Mihari.config.thehive_api_key
+        @api_version = options[:api_version] || Mihari.config.thehive_api_version
       end
 
       # @return [Boolean]
@@ -39,15 +44,11 @@ module Mihari
       #
       # Create a Hive alert
       #
-      # @param [Arra<Mihari::Artifact>] artifacts
-      # @param [Mihari::Structs::Rule] rule
-      #
       # @return [::MISP::Event]
       #
-      def emit(rule:, artifacts:, **_options)
+      def emit
         return if artifacts.empty?
 
-        payload = payload(rule: rule, artifacts: artifacts)
         client.alert(payload)
       end
 
@@ -102,18 +103,15 @@ module Mihari
       #
       # Build payload for alert
       #
-      # @param [Arra<Mihari::Artifact>] artifacts
-      # @param [Mihari::Structs::Rule] rule
-      #
-      # @return [<Type>] <description>
+      # @return [Hash]
       #
-      def payload(rule:, artifacts:)
-        return v4_payload(rule: rule, artifacts: artifacts) if normalized_api_version.nil?
+      def payload
+        return v4_payload if normalized_api_version.nil?
 
-        v5_payload(rule: rule, artifacts: artifacts)
+        v5_payload
       end
 
-      def v4_payload(rule:, artifacts:)
+      def v4_payload
         {
           title: rule.title,
           description: rule.description,
@@ -130,7 +128,7 @@ module Mihari
         }
       end
 
-      def v5_payload(rule:, artifacts:)
+      def v5_payload
         {
           title: rule.title,
           description: rule.description,

data/lib/mihari/emitters/webhook.rb

@@ -55,30 +55,26 @@ module Mihari
       # @return [String, nil]
       attr_reader :template
 
-      def initialize(*args, **kwargs)
-        super(*args, **kwargs)
-
-        url = kwargs[:url]
-        headers = kwargs[:headers] || {}
-        method = kwargs[:method] || "POST"
-        template = kwargs[:template]
-
-        @url = Addressable::URI.parse(url)
-        @headers = headers
-        @method = method
-        @template = template
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **options
+      #
+      def initialize(artifacts:, rule:, **options)
+        super(artifacts: artifacts, rule: rule, **options)
+
+        @url = Addressable::URI.parse(options[:url])
+        @headers = options[:headers] || {}
+        @method = options[:method] || "POST"
+        @template = options[:template]
       end
 
-      def emit(artifacts:, rule:)
+      def emit
         return if artifacts.empty?
 
-        res = nil
-
-        payload_ = payload_as_string(artifacts: artifacts, rule: rule)
-        payload = JSON.parse(payload_)
-
         client = Mihari::HTTP.new(url, headers: headers)
 
+        res = nil
         case method
         when "GET"
           res = client.get
@@ -100,13 +96,10 @@ module Mihari
       #
       # Convert payload into string
       #
-      # @param [Array<Mihari::Artifact>] artifacts
-      # @param [Mihari::Structs::Rule] rule
-      #
       # @return [String]
       #
-      def payload_as_string(artifacts:, rule:)
-        @payload_as_string ||= [].tap do |out|
+      def payload_as_string
+        [].tap do |out|
           options = {}
           options[:template] = File.read(template) unless template.nil?
 
@@ -118,6 +111,13 @@ module Mihari
           out << payload_template.result
         end.first
       end
+
+      #
+      # @return [Hash]
+      #
+      def payload
+        JSON.parse payload_as_string
+      end
     end
   end
 end

data/lib/mihari/enrichers/whois.rb

@@ -5,6 +5,7 @@ require "whois-parser"
 module Mihari
   module Enrichers
     class Whois < Base
+      # @type [Hash]
       @memo = {}
 
       # @return [Boolean]

data/lib/mihari/feed/parser.rb

@@ -5,6 +5,7 @@ require "jr/cli/core_ext"
 module Mihari
   module Feed
     class Parser
+      # @return [Array<Hash>, Array<Array<String>>]
       attr_reader :data
 
       #

data/lib/mihari/feed/reader.rb

@@ -6,7 +6,23 @@ require "insensitive_hash"
 module Mihari
   module Feed
     class Reader
-      attr_reader :url, :headers, :params, :json, :data, :method
+      # @return [String]
+      attr_reader :url
+
+      # @return [Hash]
+      attr_reader :headers
+
+      # @return [Hash, nil]
+      attr_reader :params
+
+      # @return [Hash, nil]
+      attr_reader :json
+
+      # @return [Hash, nil]
+      attr_reader :data
+
+      # @return [String]
+      attr_reader :method
 
       def initialize(url, headers: {}, method: "GET", params: nil, json: nil, data: nil)
         @url = Addressable::URI.parse(url)
@@ -20,6 +36,9 @@ module Mihari
         headers["content-type"] = "application/json" unless json.nil?
       end
 
+      #
+      # @return [Array<Hash>]
+      #
       def read
         return read_file(url.path) if url.scheme == "file"
 
@@ -33,11 +52,9 @@ module Mihari
 
         body = res.body
         content_type = res["Content-Type"].to_s
-        if content_type.include?("application/json")
-          convert_as_json(body)
-        else
-          convert_as_csv(body)
-        end
+        return convert_as_json(body) if content_type.include?("application/json")
+
+        convert_as_csv(body)
       end
 
       #
@@ -48,10 +65,10 @@ module Mihari
       # @return [Array<Hash>]
       #
       def convert_as_json(text)
-        data = JSON.parse(text, symbolize_names: true)
-        return data if data.is_a?(Array)
+        parsed = JSON.parse(text, symbolize_names: true)
+        return parsed if parsed.is_a?(Array)
 
-        [data]
+        [parsed]
       end
 
       #
@@ -77,11 +94,9 @@ module Mihari
       def read_file(path)
         text = File.read(path)
 
-        if path.end_with?(".json")
-          convert_as_json text
-        else
-          convert_as_csv text
-        end
+        return convert_as_json(text) if path.end_with?(".json")
+
+        convert_as_csv text
       end
     end
   end